It can sometimes be time-consuming at best, and annoyingly frustrating at worst, to navigate an IT certification vendor's web site to glean information regarding a particular program. Today we examine the Certified Information Systems Security Professional (CISSP), sponsored by the International Information Systems Security Certification Consortium, or (ISC)2.
In the name of brevity, I assume that you know what the CISSP title is and why you would want to earn it. If you are unfamiliar with the "whats and whys" of the CISSP, then the CISSP Wikipedia entry is a decent place to start. (Important Note: All information here is current as of January 2010. Prices, requirements, and testing elements may change. Please check the (ISC)2 site for current standards at the time you're reading this.)
Becoming a CISSP involves four distinct phases:
- Meet Experience Requirements
- Pass the Exam
- Obtain an Endorsement
- Prepare for an Audit
Let us examine each phase in turn.
Meet Experience Requirements
In order to register for the CISSP certification exam, you must demonstrate that you possess a minimum of five years of professional experience in the information security field. Your work history must show that your skill set embraces at least two of the 10 domains in the (ISC)2 CISSP Common Body of Knowledge (CBK).
You can obtain a one-year waiver in the professional experience requirement if you fall into one of the following categories:
- You hold a four-year college degree
- You hold an advanced degree in information security from a U.S. National Center of Academic Excellence in Information Security (CAEIAE)
- You hold a credential from the (ISC)2-approved list; this list includes the Microsoft Certified Systems Engineer (MCSE), the CompTIA Security+, and the Certified Information Systems Auditor (CISA) titles.
Note that you cannot combine two of these approaches; thus, if I hold a bachelor’s degree as well as the CompTIA Security+ certification, I am allowed only one year off the five-year professional experience requirement.
Pass the Exam
In order to meet this requirement, you must pass the CISSP certification exam with a score of 700/1000 or greater. You register to take the CISSP directly with the (ISC)2; note that you may have to travel to reach your closest authorized testing location.
Exam pricing for U.S. candidates is either $549 or $599 depending upon whether you choose to do an early registration or a standard registration.
The exam itself is a test of endurance; the pencil-and-paper exam consists of 250 multiple-choice questions in which you are given 6 hours to answer as many of them as you can correctly.
Obtain an Endorsement
Once you pass the CISSP exam, your work still is not complete. You must ask an active (ISC)2 credential holder who can attest to your industry experience to complete an endorsement form for you. Once the (ISC)2 receives and approves the endorsement, you can finally heave a sigh of satisfaction: You are a real-live CISSP!
Prepare for an Audit
It is crucial that you not fudge or cut any corners in your CISSP application process, not the least reason being that the (ISC)2 randomly selects (ISC)2-certified individuals for auditing. If you are found to have falsified any of your application data, consider the revocation of your CISSP title a foregone conclusion. Take-home message: Honesty is the best policy (and is a core principle of the (ISC)2 Code of Ethics, which you also must affirm during your application process).
Certification Expiry/Renewal Information
The CISSP certification has a three-year lifespan. Consequently, it is imperative that you make time for at least 120 continuing professional education (CPE) credits within each three-year interval. Of these 120 credits, at least 80 must be Type A, or directly relating to the information security profession. The remaining 40 credits can be either Type A or Type B; Type B credits constitute other forms of professional skills development. The (ISC)2 will provide you with full information on CPEs once you are certified.